Policy | Security | Investigation

delete ESI

January 25, 2010

If you seek to cause Facebook to disclose the content of communications to or from a Facebook user, remember that the user's home or business email account may contain much of the information you seek. (The same goes for LinkedIn, Foursquare, Yelp, Skype, Groupon or online dating sites and services.)

The email account may contain some of the messages the user posted on Facebook. Facebook allows a user to submit, via email, updates for publication on his or her Facebook Wall. See my records management discussion about the Facebook-update-by-email feature.

Further, Facebook often emails a user with notices about and/or copies of content of messages posted by others for the benefit of the user. For example, here is a screenshot of an email from Facebook:

Hence, the user’s email account may contain the content and date/time of many desired Facebook messages, even those messages (ESI*) that have been deleted from Facebook.

Records on Cell Phones

Another place to look for Facebook notices and content may be SMS records on the user’s cell phone. Facebook can be configured to send certain notices (with copies of FB message content) to the user’s SMS account. The types of notices that FB sends to SMS are not as numerous as the types that FB may send to electronic mail.

Service Providers Resist

Normally, when handed a civil subpoena, such as in a divorce, infidelity or child custody investigation, a service provider like Facebook (or Hotmail or Google ) will resist disclosing the content of a user’s communications unless and until the user consents. A common rationale cited for resistance is that the content is protected under the Stored Communications Act.

Compelling User to Cooperate

Often, law will compel the user to consent to the service provider releasing records of communications. Some recent cases have been compelling users to turn over, to their adversaries, their social media user ID and password.

Metadata and other Non-Message Content Data

See practical discussion on the retetion and disclosure of text and other messages by service providers. Service providers may see a distinction between the content of messages and metadata about the messages, such as time of transmission. Some service providers believe they can be compelled to turn over meta data but not message content.

An emerging class of social media services (Foursquare.com, Yelp, Gowalla) collect and store not just messages, but also location information. John was at the burger joint on May 11, 6:33pm, and at the ball park May 12 at 7:07pm. This data will be the target of subpoenas. The degree to which service providers will resist the subpoenas remains to be seen.

Related article: How to record what you see on Facebook or other online media.

Update 2013: Facebook sent an SMS text to my phone telling me it will begin sending me a steady stream of text messages regarding FB activities of my friends and me . . . unless I opt out. So the default at FB (at least for a user like me) is to send lots of text messages to my phone that refer to activity in my FB world.

January 24, 2009

Electronic Records Had Been Discarded Under Interpretation of Retention Policy

Why Allow Deletion If Government Must Later Restore Records?

A county's formal policy on e-mail destruction failed to save it from the cost of recovering deleted e-mails in a lawsuit under Ohio's Public Records Act. Like FOIA laws in other states, Ohio's Records Act requires state government agencies like counties to disclose records to citizens upon request.

The case in question is a decision by the Ohio Supreme Court, State ex rel. Toledo Blade Co. v. Seneca County Board of Commissioners, 2008 WL 5157733 (Ohio Dec. 9, 2008). Plaintiff sought e-mails of county commissioners concerning demolition of an old courthouse. The county turned over some e-mails, but plaintiff managed to show that some relevant e-mails were missing because they had been deleted. It made this showing by analyzing the e-mails that were turned over and proving some logical gaps appeared within them. Also, some commissioners admitted they had deleted some of their relevant e-mails.

Forensics Reverses Written Policy!

The county's written policy allowed each user to delete e-mail that the user deemed to be of "no significant value." (Some people call such e-mails "non-records".) Such a policy is a version of the make-a-decision style of e-mail (text and instant message) records management, where users are expected to decide the destruction/retention fate of each message.

After the court determined that some relevant e-mails must have been deleted, it observed that through the use of forensics measures some e-mails might be recoverable from commissioner hard drives. The county argued it should not be required to restore deleted e-mails because they had been deleted in accordance with the county's record retention policy, which the county had adopted in good faith. Further, the county argued that forensics measures are excessively expensive.

The court disagreed with the county. The court ordered the county to undertake costly forensics steps to search for and restore deleted e-mail records that met certain criteria – all at the county's expense.

Different Retention Policy Needed

Gadzooks! If a government agency is required under a FOIA to incur great expense to recover deleted e-mails after officials had determined -- under a formally-adopted policy -- that the e-mails were of "no significant value," then it makes no sense to let officials delete e-mails in the first place. Such a make-a-decision style of policy is unworkable because it will cause the government regularly to employ expensive forensics to recover deleted records. As a policy matter, the government is wiser just to archive copious records and take decision-making out of the hands of individual users.

I have long questioned e-mail retention policies (the make-a-decision policies) that emphasize a user examining each particular message and then deciding whether to destroy it or to keep it. But some learned people disagree with me. An argument they sometimes make in favor of the make-a-decision style policy is that it mimics how paper was handled. With paper, they argue, lots of documents came across the desk of each official. The official would decide whether to throw the paper in the trash can, or to place it in folder A, or folder B or folder C.

Yet this Toledo Blade case demonstrates that e-mail is different from paper. Even after e-mail is deleted, it can still be recovered forensically. The cost of recovery can be high, but this court forced government to incur that cost.

Technical footnote: The court ruled the commissioners had probably violated the county's policy by deleting e-mails that were of significant value, when the policy said that only insignificant records would be deleted. However, this detail should not change our understanding of the case's import. From the point of view of someone writing records management policy, the risk is ever-present that a court will second-guess users after-the-fact. Looking back at past decisions, a court can always say, "user should not have allowed that e-mail to be deleted" or "user should have placed that e-mail in retention category X rather than retention category Y." Users always make records management mistakes, and thus leave an enterprise constantly exposed to the threat of having to employ forensics (after-the-fact) to reverse user decisions. Therefore, the policy writer is motivated just to remove users from retention/deletion decisions.

Background: One of the purposes behind Freedom of Information Acts -- and public records acts generally -- is to enable citizens, FBI, police and internal auditors to investigate public officials for fraud, waste, corruption, embezzlement, conflicts of interest and misappropriation of funds. The ever-present possibility of such a probe motivates officials to be fair and honest.

October 11, 2008

Departure (dismissal) of an employee does not justify destruction of his e-mail records stored on employer equipment. Those records are not the property of the employee or (normally in the U.S., with some qualifications) the vessel of his privacy. The records are an asset of the employer, showing what the employee did in his capacity as an employee and agent of the employer and how he was supervised.

In our changing economy, employers are learning how to get the same productivity with fewer people. As they let some employees go, the email records of those employees are part of the employer's valuable institutional memory.

Wasting Manager Time

A manager is wasting her time if she paws through a departing employee’s e-mail to decide what to keep and what to destroy (delete). It is better just to keep the e-mail, consistent with the retention and privacy practices generally applicable for all employees.

Email is an Asset of the Enterprise

E-mail records memorialize intellectual property development by employees (such as an inventor or engineer), and they record when and under what conditions trade secrets are shared with business partners. In intellectual property (IP) disputes, proving the time and date that particular events transpired is essential. The beauty of email records is that every message is stamped with time and date.

Today, e-mail records are critical to many investigations and disputes; they are even critical under search warrants, where law enforcement seizes records under court supervision. In Jane Doe v. Norwalk Community College (a sexual harassment case), the court sanctioned a college for destroying electronic records of a suspect teacher after he left the college. The same could happen to any educational institution (public or private . . . higher, secondary, primary, K-12).

E-mail records show what commitments employees did and did not make on behalf of the employer. In Cloud Corp. v. Hasbro, 314 F.3d 289 (7th Cir. 2002), employee e-mail effectively modified a paper-written contract that said it could not be modified except by a “signed writing”. E-mail can be a legally-binding “signed writing” that memorializes the employer’s rights and responsibilities under contracts.

Federal Sentencing Guidelines

E-mail records showing day-to-day education and supervision of employees are consistent with the expectations of the Federal Sentencing Guidelines. The Sentencing Guidelines are the framework within which federal judges select penalties for convicted criminals. If a criminal happens to be an enterprise, the Guidelines call for leniency where the enterprise had taken steps to prevent and mitigate crime by employees. In other words, bad employees might go to jail, but their not-so-bad employer might avoid stiff criminal penalties.

Under the Sentencing Guidelines, the steps the employer must take include establishing and promoting an employee ethics program and then monitoring and disciplining employee conduct. To show that an employer did this, electronic mail records (ESI) can be key evidence. They can document regular education, supervision and discipline of employees.

Update: The Federal Sentencing Guidelines are proposed to be amended so as to place more emphasis on complete record retention.

Policy?

So precisely how long should employers keep email records? There is no one-size-fits-all answer. I have led in-house workshops to address this question at numerous, diverse enterprises. The outcome of these workshops has varied, depending on many factors, including corporate culture.

In my experience, the best email retention policy is one that is developed by collaboration of the various stakeholder departments in the enterprise (legal, IT, HR, operations et al.). Normally, these different stakeholders start with different positions on what the policy should say. But, in my experience, after the stakeholders have talked through the issues, they tend to compromise their positions and coalesce into a policy that is unique to the enterprise.

P.S. Employers may believe that by deleting email they are preventing a future eDiscovery adversary from conducting a so-called fishing expedition through the records. However, I argue that the advantages of generous record retention outweigh the risk of a fishing expedition.

IT Administrators

Twitter

Custom Professional Training

Local ARMA Quote

"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.